Kannan Gopinathan alleged that the Voters’ Services Portal had not even conducted a “basic security review.”
Published Oct 01, 2025 | 9:00 AM ⚊ Updated Oct 01, 2025 | 9:00 AM
Former bureaucrat Kannan Gopinathan. Credit: x.com/naukarshah
Synopsis: Rahul Gandhi alleged 6,018 voters’ names were targeted for deletion in Karnataka’s Aland using the Election Commission’s insecure digital platforms. Former IAS officer Kannan Gopinathan’s security check revealed the Voters’ Services Portal scored 15/100 on Mozilla’s HTTP Observatory, lacking basic protections. Despite concerns, the EC has not addressed vulnerabilities, raising fears of mass voter roll manipulation through unchecked online deletion attempts.
In September 2025, the Leader of Opposition in the Lok Sabha Rahul Gandhi alleged that there were attempts to delete the names of 6,018 voters from the electoral rolls in Karnataka’s Aland constituency in 2023. He claimed that this was being done through a centralised software, by filling out deletion forms online on behalf of locals without their knowledge.
Days after these allegations were made, former IAS officer Kannan Gopinathan conducted a primary-level security check of the Voters’ Services Portal (voters.eci.gov.in) and the Voter Helpline App. He alleged that the platforms had not even conducted a “basic security review.”
The NVSP portal received just a 15/100 score on Mozilla’s HTTP Observatory site – a developer site that functions as “security report card” for websites. It scans headers, HTTPS setup, and cookie practices.
Q. What prompted you to conduct a security check of the voter services portal and the voter helpline app?
A. There was this question about what is happening in Aland where Rahul Gandhi had raised a representation that mass deletion and mass addition attempts have been made. This has essentially been done through one of these digital portals. It could be VHA, NVSP etc. I wanted to check how this could be possible and what kind of OTP flow and verification these platforms were doing.
I downloaded the VHA app, and once I opened it, I realised it basically runs Chrome right inside, basically using a WebView to render the content. Normally, apps are developed natively — for example, an Android app for Android devices or an iOS app for iPhones. But here, maybe for some sort of ease, or they wanted to take a shortcut, they seem to have simply wrapped the website voters.eci.gov.in in WebView and released it as an app.
Suddenly when it started showing that it was running chrome, I realised that it is not a very secure thing to do. If you are developing a sensitive application and a mobile app, you do not generally do a WebView rendering because it has to allow for cross-domain communication on that website. That is when I realised maybe they are not so concerned about the security aspect. This was the first red flag.
Then when I opened the website, I guessed that if they allowed the above, they would have to open up certain headers on the site which again would mean that they would not be able to do a lot of security checks.
Any website that you publish, has to go through a pre-production security review. One can do further penetration tests and other tests out there which are essentially automated scans to check how secure the website is. Here we didn’t do that, we did a basic header review to check whether the website is secure or not. That can be done very reliably through something that Mozilla has provided – their observatory Mozilla observatory. It is a developer’s portal for Mozilla. So you can put your website there and see whether all your headers are configured correctly or not, whether you are allowing for any malicious code injection.
Q. Can it be inferred that due to these flaws in the website and the app, information on the website, including names on the voter list, can be tampered with?
A. Tampered might be the wrong word. On Mozilla’s observatory, the ECI portal scored 15/100. Going into specifications, the session cookie is set without using the secure flag. Similarly, Strict Transport Security (HSTS) – which ensures a site can only be accessed over HTTPS, not the insecure and unencrypted HTTP — has not been implemented (As a result, browsers might still access the site over HTTP, leaving users vulnerable to attacks). These are very basic (criteria) that Mozilla gives very high scores for as these are the most important kind of security (features) that you should ensure, which they (EC) have not done. It is concerning that this has not been addressed after so many days.
This website (NVSP) is used for voter addition applications, voter deletion applications, objection to inclusion, shifting of voters etc. I am not saying it (applications) directly hits the database and makes changes there, we don’t know the backend architecture. What they could be doing is application management. I am assuming that this application for (addition, deletion, objection to voters list) will go and hit a particular server and then that should be transferred to the ERONET or where the electoral management is being done. It will then go to the Booth-level officer (BLO) for verification and then the manual field verification process is done; post this they will update it (application).
Hence it is far too dangerous for the website to be unsafe because there could be attempts to delete or malicious attempts to add voters. We still don’t know who has started it or who is behind it, whether someone funded it. That is where the lack of security on the website becomes a question. We don’t know if someone has run some kind of a script here or stolen the cookies.
The question is not whether they have directly tried to change any electoral roll. The question is that does it (the security flaws) allow for malicious mass coordinated deletion attempts or filing of addition (of voters) application attempts.
It has been over three days since I posted this on X. But the ECI has not done anything to change it. I am aware that they held a meeting and conducted a review but they have not gone ahead and made the necessary corrections because that would mean they will have to take the app and website down. That will create a lot of noise.
Q. After your post on X, there were a couple of media reports that pointed out that the Mozilla observatory score for the website improved. Is only a minor configuration needed to improve the cybersecurity score?
A. It shouldn’t have taken too much time to make these configurations. The only question is if they are allowing for some cross domain (communication) which again is suspicious if they are allowing that. We just checked it (score) right now and we don’t see any improvement.
It also could be that they were trying something out when they were checking those media reports. At that point of time the score would have changed but eventually came back to 15. That means there is some dependency on these headers that they are unable to change.
It was some sort of an integration, some sort of dependency with other apps. So now changing these headers itself is like a two minute job. But that is not the answer. It is a very easy thing to do. But by doing it, whether a login is happening from an app and is using this website. Now (with the change configuration) will this start getting blocked? So that they have to see this. That would again mean that they will have to take the VHA or the Garuda apps down. They would have to acknowledge that this has been a massive screw up.
For this to happen on a website as important as (ECI’s) which forms the backbone of our voter roll management, raises a lot of questions. Who did this? Whether they were competent to do that? It has been integrated with apps. It has been running on like that despite allegations of massive deletion attempts. They did not do a review. They did not try to see where they had gone wrong.
Q. What are some measures that you think need to be taken for the website and all these apps to remain safe and secure for people who are using them?
A. There is a pre-productive security review that needs to be done before publishing a website. This is what the EC should do as well. Firstly, they should do a security audit of all their systems including penetration tests etc. They need to put it out in the public domain that what is it that they were lacking and what changes are they going to do to make it right. Second, they need to do an audit of all mass deletion or addition attempts in the last few years, how many such attempts have happened. Whether it failed or succeeded is secondary.
It is not just about filing a trivial FIR and forgetting about it. If anything, the EC should be after the police and ask them to give the full details. They cannot say that the server data is not available, that is not how the apex election body of a country should be behaving. It should also be very clear that they (EC) are accountable to the public. It is a public funded institution. So when people raise questions, just dismissing them and asking “what is your credibility”, or “who are you to raise it” or attributing some motive behind it, these work in the political domain but not in public-funded institutions.
They should also try to answer the questions, be it from me or the Leader of Opposition. So many people have raised concerns regarding the electoral roll management. Be transparent about it. It will only improve the system. It is not like anybody is antagonistic against the EC.
Once they take a collaborative approach to security, I think a lot of people would have suggestions on how to go about it.
Moreover, we need to see whether an application like Form 7, which is a deletion application should be made easy. Form 6, I can still understand. It is a citizen service in the sense that I want to get involved in a particular constituency. So there is a rationale for making it easy. But whether Form 7 should be made easy because it is a deletion attempt and it is not my deletion. I am saying that someone else should be deleted (from the list).
So whether deleting somebody else’s vote should be made so easy. Should there be a more stringent burden of proof on the applicant to do that? Or whether it should even be done online, because it can be done at the constituency level locally. So these things have to be reviewed in the background of these kinds of coordinated attacks which have happened in multiple places. Trying to influence the election roll is actually trying to influence the election. So it is not just about the roll. If the roll is manipulated, the election is manipulated. That is a major concern.
(Edited by Amit Vasudev)
